Analysis

  • max time kernel
    143s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 01:25

General

  • Target

    JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe

  • Size

    1.3MB

  • MD5

    85bfeb89da4faf43dbf03e1bfc1e65ee

  • SHA1

    613fa3f36a79e9eb2f58e14296d807641d4ea19c

  • SHA256

    4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2

  • SHA512

    3e379299ff10d496208a3b445f1ecf87bf76e795ee386aac95486856d27bb443d02a00fcbe1e1206d18e717e7b275971305057dd59c414d67e7b152d3b06452d

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4896fe9c5f16943cf1d47cf1029e4ccf317b811f7b0aac3f77ec53cf75df2ef2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UOph32PSWo.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2340
              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2696
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
                  7⤵
                    PID:2980
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:840
                      • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2996
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
                          9⤵
                            PID:944
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:2620
                              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2936
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
                                  11⤵
                                    PID:1828
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:912
                                      • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1728
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
                                          13⤵
                                            PID:2956
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:2824
                                              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2876
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
                                                  15⤵
                                                    PID:2288
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:956
                                                      • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                                        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2612
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
                                                          17⤵
                                                            PID:1676
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:960
                                                              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                                                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1300
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
                                                                  19⤵
                                                                    PID:2552
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2668
                                                                      • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                                                        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1728
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
                                                                          21⤵
                                                                            PID:2740
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:880
                                                                              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                                                                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2756
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
                                                                                  23⤵
                                                                                    PID:1840
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:1412
                                                                                      • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                                                                        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2628
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
                                                                                          25⤵
                                                                                            PID:1716
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:2872
                                                                                              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe
                                                                                                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe"
                                                                                                26⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Help\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2492
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1412
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:264
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2348
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1568
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2160
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2324
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2952
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2360
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2040
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2364
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2416
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:896
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1612
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:392
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3024
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2032
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1016
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2968
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1972
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2496

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              1773cc5d54586da7d2886461d11b28e4

                                              SHA1

                                              98f527d2dda398c15f73bdf80e1c513346d02dff

                                              SHA256

                                              94b5efa76e05aeecff0123b182ec7e30a4df4d94218f1eff18cdfb80fa57fe8a

                                              SHA512

                                              8b9a88026551a2aa9c6cb77fedc26c7e6ccccea10aa2808fc434437a4381e0a010613f26a4ddf888e045b5c991a768a550111480ffbe30dc493433ed1f35fa99

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              8e75a0a883674253ee6bae83d3dae268

                                              SHA1

                                              5fe90f5b1506771771bc8073434da50dc538b741

                                              SHA256

                                              e0793aab59e8007c277992d66c86a6c43d4e25273d2e8ac8a9cb45277a475877

                                              SHA512

                                              2194488836d22fa7b4e21158eb90331ccdffcc6f32cbcc29485de19f95b6eac4aeaf3b669f13c933c72c667d59e32456942bebe47d9ceb08b972e0a43560d8d1

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              25ada3b95a383df041681278cd8c8375

                                              SHA1

                                              034c9744b622488821e89b1aba2cae28ca8bb87b

                                              SHA256

                                              44379f96ec8b49acb1e3be94f987e7ee902105713c2c5a533bb003c6ab177664

                                              SHA512

                                              bb5dee1572ebbb9396ce3f401b466b9d5c9752c9f9b8d64ef8c3dd1e0b3e2263a2b96aedc7107779a34e540ebd823f4f91019708a9f2e4989e41b4d35339a908

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              6229534acae9ff959fb83bbc48c8c293

                                              SHA1

                                              a75f7a20a80ae128716aeed19fe8948203fce584

                                              SHA256

                                              c793969f7253c2df0b69d77fbff979ed35c8cefce469878f8b0d1a37df1553fe

                                              SHA512

                                              1d94953e5325b23e3dd35ca87b7b1adfaf9e6bcf7c68835f4aeecb4bc60e4baaa2a0dfd3d6d898de3422b6bf13c514cc2453b767bb442cf8f276f79894175a3b

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              0ea542ce880f9c4652188117ccc1349d

                                              SHA1

                                              853a7ffd3e112d1d903a6334e8371110e7feef9c

                                              SHA256

                                              51c2b9ba11c59eb63818fb59bfc7cdac10d00991200dd6804655d4cc19483ddd

                                              SHA512

                                              378000003ee6ca7d521165d098eb484930999d7056c80877543ca35316eae6c5fa9c6d2edb885748dcb2f665e3ee0b3d2cb89ed8c0207fa49e7e77ac8303f813

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              758690fe71e6d5f13746492f405b8db2

                                              SHA1

                                              e40e2688a255628671632a633f81e1d2e358a844

                                              SHA256

                                              aa059934e463ddf65a35f5800d8bb3af084146c77d875c7b388af37fd22fd314

                                              SHA512

                                              4b8e4dc490a5c3a4fa853b5cc96e16ef2724a66e61b0b18f2d31c74de518563e3ceb5e1715deb9953e3d09b0fb629ea057c74696873677bb3809246510023271

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              3af6d5e58a4b05bc98210c7312d49eb8

                                              SHA1

                                              f2ae69e9648b6e270f8801c4e450770a13357e27

                                              SHA256

                                              0c3c2852f12c9efeb6c0e1ee4f879b60cfc66f26cc093b477900ce630d0be5b4

                                              SHA512

                                              d2e4b1ca44417dd5296c3bd188acea8cf07a77d21d4a6e1e8d6951846a0cdd844d95b487df063fdf5151234e777f198862436fe5f7c221eda3bce9b5e11cac3a

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              aa86db3309630594081e41eaef1b6ead

                                              SHA1

                                              4a38e2b2195dbb5a3700a2d7c7b4d626773d3440

                                              SHA256

                                              50591947124d5c543527168b0a4b9c67c312ff8118b88498e48379f41b1ca470

                                              SHA512

                                              41b7d58737a3dfc90d1ea56f43d6520f9ff7f0e15595680f368b72b9e856aa151053085c0093c766417c8865e99f726d40fa889ea9edd17f86b37b61a84a66e3

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              5a5275be2c644b9c20646120bc107bf4

                                              SHA1

                                              05223794f0409c2101e4ff76d341d018431efb0a

                                              SHA256

                                              4b6bbbb03986ffeb8e59fffbc64eb7478313ed9fa316fb9cb88c5b99447b7578

                                              SHA512

                                              3389b8236f8268e942760c9bd4ee0ad05c2e9631e03438d1df6538e11649effd66e650faa8f425b68f44b4a85ce770195854ec84b2587d81dda240c08ba0627a

                                            • C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

                                              Filesize

                                              225B

                                              MD5

                                              8ddcd59d027c520eb7f44a873bb2167c

                                              SHA1

                                              30082de5c83f71af3975b42f2b6e12d51a8deae1

                                              SHA256

                                              b6c422682a2b33f3f99485c0db60cd07206ffdd657676467c68bc4a9142c0a29

                                              SHA512

                                              14803c3e083d93e1cf697b83ace2fcb4886a7222941bd64b2e3aa15c1721c5afefe89fb5f023a1f90e6cf36e850e852e2ca525daf859a27d61f81fab0ec717dc

                                            • C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

                                              Filesize

                                              225B

                                              MD5

                                              934de37a707d8dfbab8555823a8451d5

                                              SHA1

                                              3b66572ea0ae01ded5e106d588e749cab69a4dcd

                                              SHA256

                                              5b9e99099e4cafda6d1f727a67cb928d64dcec61ca8883754c963e2e71ca3694

                                              SHA512

                                              a4afaa692aa0f85ab8912a9ddd5a5c5dac8f53e4618d0738b9f81f5c34b9ecd6e2a35b9e041d10266cbf5c05ffcbcf07a405604a8151391c781e0a839cb90b36

                                            • C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

                                              Filesize

                                              225B

                                              MD5

                                              98dfa4ac5619c84ce66172ae63f3a4cb

                                              SHA1

                                              5e41761a7b3418f8f4f1845d1897a8977183e421

                                              SHA256

                                              6123a83ac659337c959e2b715120c46c8b89f83fea4f3ec32fcc560c15f3672a

                                              SHA512

                                              7f6d8ac42ed3dd5a1e78212159dcf26f1d8ddef753d7fa4a0a9e31c0c31a6d8146d8832dbe361f3693fa0c8a5aec82bca401e25edc04859b3f5d1a2f13dae74f

                                            • C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

                                              Filesize

                                              225B

                                              MD5

                                              629a81f8ae75cd6895497d46a1f1d4fa

                                              SHA1

                                              766c91ce77ef116f5e5710af65668e635a9135b8

                                              SHA256

                                              1b725d421c72f4cd805154296862ab56963c41ba9dd9e2183dfd11a4e0782c15

                                              SHA512

                                              2b48986a39aa5c9d09cbdc2e94ac2a3f9bbdd5fe99dbbfd4d30e1f560e66474c4a224429c0f4da86009416afb148700cc1f14bd6f90a7a01ba375cd70932f1e4

                                            • C:\Users\Admin\AppData\Local\Temp\CabA98A.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

                                              Filesize

                                              225B

                                              MD5

                                              819c0348ef991d23837517eccfb140ae

                                              SHA1

                                              dcefed9c6a569af99bb665ca2bbdce47fd2e9cf4

                                              SHA256

                                              6801e3dd096c820ec47ff16d196850f62b889eab02d6de6ec0748c849f329fe2

                                              SHA512

                                              f73b6d0a56b63b6af3bc2fd74a4f1483c1e9f12ece93e300665814e6e26076eb84db326a006812b34292d19bfcc46668ea3f840575f20c59b5f9bb279a49bb2e

                                            • C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

                                              Filesize

                                              225B

                                              MD5

                                              a04083c2f45962e8354bf6693b837efe

                                              SHA1

                                              126fe72fe575969d1b561d861bdead00057d015a

                                              SHA256

                                              0ad366c7e8ce71d8ce2a7a1f49324f0e61e6ace57519a93b8f061eec8d663d80

                                              SHA512

                                              3b074067478861e42f1373e129674a4167986fd10dbcbe761244481107b703afdb3813b628ab1df2b400bdc3dde8801b0e28c9bdd49acd1df29bff05d1d3de4d

                                            • C:\Users\Admin\AppData\Local\Temp\TarA99D.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\UOph32PSWo.bat

                                              Filesize

                                              225B

                                              MD5

                                              bd6548b760195415e874067664e046a6

                                              SHA1

                                              27cff685ba4a527aa973674bc105d3b683ae3f75

                                              SHA256

                                              6ad8b447df902a84aff54f2ee59f4949cc108de9e3dba6bb95fe9a4b10304725

                                              SHA512

                                              688f77c81f9abab8306e6a0fb85d7864e0c55a3db8db04a44ccac2656287d29c1bbdb1f643d843a724424c88a4d715cd6e12eb1473d5132c43772107c034b4c3

                                            • C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

                                              Filesize

                                              225B

                                              MD5

                                              4e55d4176a96bc1ccf4e13a71021d182

                                              SHA1

                                              95ef4799c821000e8f75f241b67068c52379716b

                                              SHA256

                                              6917d683e362dee4682de1f77b44e040e3528325e49b08fa819d8cf3d5d010be

                                              SHA512

                                              87c1adc69655e2d362ea178ed62b1a335b8daf934cbffc60e3d4d990a4c55e43cd32e40e57ef9f065489e4e78ad2486d7c860196e0e3a83ae15501093ceab40e

                                            • C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

                                              Filesize

                                              225B

                                              MD5

                                              c4bf37fa229eb8912f8df61e6fe32bc6

                                              SHA1

                                              ed7b5e29166d38150251e5337fa050fa9883a4dd

                                              SHA256

                                              9d342bd8c5d74d1245a39f3d099eaffc665e92f9d217aafbebd7d12208baf973

                                              SHA512

                                              a6c270083e357afd6e937eca217a901fb6f14016b5cb7d0d6cd23952515728b2165f13310ace3e606526a0e3f6f851df19298445ff0d1cd16c9e91caf5306745

                                            • C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

                                              Filesize

                                              225B

                                              MD5

                                              f3cafe12f00b51efeafd3dd29e090ba9

                                              SHA1

                                              cea8ae8b3e8c15e9261e6662a34277cb7f5b34ba

                                              SHA256

                                              be5b9ce8ee83cea393fbe1555990361d45c37d0e7ddec2b06fda2a5d936399ca

                                              SHA512

                                              3c3e7e24d7630e4eb6483bf42c14532c0ab424b63efb0654ec868ec6371e25b6b064ca38b7f3368d704407ea1ffab34ddad859b8fdb6940dd01a9e9f53ab9a76

                                            • C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

                                              Filesize

                                              225B

                                              MD5

                                              7fa15b3da8a2611627734b6442a89fd8

                                              SHA1

                                              0d37e8f3ec8267ec95e9acbecb91984f493d43ed

                                              SHA256

                                              54fbc67fd1eb6df4b0ce412c211f99c2aca52a13f8ed50dd955b581aa2cb99d3

                                              SHA512

                                              fb7ab19f6c609754e294996695a7388e837ff1bc015ca20d3f6f5966cdb5b5143b5ad1c0af17c8cdd0c0531bbbdcee2bbce19f5c7a7d53c5155c6b84af75f529

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GYN3UG5P3S1RQYOGNMGV.temp

                                              Filesize

                                              7KB

                                              MD5

                                              31710eddb48b0a354640a3e8c181eb34

                                              SHA1

                                              db5606ce64edc0fa810797cda5880f9ea312c01a

                                              SHA256

                                              96913f8e58d70869a11c7657253bf67fa9b79142b9ebb0434e82490b5c278cba

                                              SHA512

                                              57a931e67efa9987f0231de19503ac96e6ad68abbc5d71f2d60ad0ae7ac6bbebe24f83c28d9de8172f2410e0f0a0647b365332d863206f97c9f55fa52b0ddc99

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/756-64-0x000000001B5B0000-0x000000001B892000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/756-70-0x00000000022B0000-0x00000000022B8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1300-487-0x0000000000A80000-0x0000000000B90000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1728-547-0x00000000012B0000-0x00000000013C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1728-307-0x0000000000260000-0x0000000000370000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2612-427-0x00000000001C0000-0x00000000002D0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2696-129-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2756-607-0x0000000001300000-0x0000000001410000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2804-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2804-16-0x0000000000460000-0x000000000046C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2804-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2804-14-0x0000000000450000-0x0000000000462000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2804-13-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2876-367-0x0000000001240000-0x0000000001350000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2996-188-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

                                              Filesize

                                              1.1MB
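The listing above is a flattened label/value dump: one label per line, the value on the next, with a rounded display size and a set of hashes per dropped file, and an address range encoded in each memory dump's name. The following Python is an added example, not the sandbox's own tooling: it parses entries in exactly this layout into records, builds a SHA256 IOC set, checks that every memory dump's listed size is consistent with its end minus start range, and hashes a local file so a recovered sample can be compared against the report. The embedded sample text is four entries copied from this report; the helpers work on the full listing and on any local path.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing into IOC
records and sanity-check them. Added example for this page, not the sandbox
vendor's code. SAMPLE_REPORT is four entries copied from the report above."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat
  Filesize
  225B
  MD5
  4e55d4176a96bc1ccf4e13a71021d182
  SHA1
  95ef4799c821000e8f75f241b67068c52379716b
  SHA256
  6917d683e362dee4682de1f77b44e040e3528325e49b08fa819d8cf3d5d010be
• \providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• memory/756-64-0x000000001B5B0000-0x000000001B892000-memory.dmp
  Filesize
  2.9MB
• memory/2804-14-0x0000000000450000-0x0000000000462000-memory.dmp
  Filesize
  72KB
"""

HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")
LABELS = HASH_LABELS + ("Filesize",)
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}


@dataclass
class Artifact:
    path: str
    size_text: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)  # label -> lowercase hex

    def region(self) -> Optional[tuple]:
        """(pid, index, start, end) for memory/... entries, None for files."""
        m = MEMORY_RE.match(self.path)
        if not m:
            return None
        pid, idx, start, end = m.groups()
        return int(pid), int(idx), int(start, 16), int(end, 16)


def parse_report(text: str) -> List[Artifact]:
    """Walk the 'label on one line, value on the next' layout of the report."""
    artifacts: List[Artifact] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # a new entry: the path follows the bullet
            artifacts.append(Artifact(path=line[1:].strip()))
            pending = None
        elif line in LABELS:
            pending = line
        elif pending and artifacts:         # value for the label seen on the previous line
            if pending == "Filesize":
                artifacts[-1].size_text = line
            else:
                artifacts[-1].hashes[pending] = line.lower()
            pending = None
        # Values with no entry yet (a listing cut off mid-entry) are skipped.
    return artifacts


def size_text_matches(size_text: str, nbytes: int) -> bool:
    """Compare a rounded display size ('2.9MB', '72KB') with an exact byte count,
    at the precision the report itself printed."""
    m = SIZE_RE.match(size_text)
    if not m:
        return False
    num, unit = m.groups()
    decimals = len(num.split(".")[1]) if "." in num else 0
    return round(nbytes / UNIT[unit], decimals) == float(num)


def check_memory_regions(artifacts: List[Artifact]) -> Dict[str, bool]:
    """For each memory dump: does the listed size agree with end - start?"""
    out = {}
    for a in artifacts:
        r = a.region()
        if r:
            out[a.path] = size_text_matches(a.size_text, r[3] - r[2])
    return out


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {k: hashlib.new(k.lower(), data).hexdigest() for k in HASH_LABELS}


def hash_file(path: str) -> Dict[str, str]:
    """Hash a recovered sample on disk for comparison against the report."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def matches_artifact(artifact: Artifact, digests: Dict[str, str]) -> bool:
    """True only if every hash the report lists for this entry agrees."""
    if not artifact.hashes:
        return False
    return all(digests.get(k, "").lower() == v for k, v in artifact.hashes.items())


def sha256_ioc_set(artifacts: List[Artifact]) -> set:
    return {a.hashes["SHA256"] for a in artifacts if "SHA256" in a.hashes}
```

Run `parse_report` over the whole listing, then `sha256_ioc_set` gives the hash set to feed into blocklists, and `matches_artifact(entry, hash_file("sample.bin"))` confirms a recovered file is the one the sandbox saw. Because the report prints sizes rounded (2.9MB, 1.1MB), `check_memory_regions` compares at the displayed precision rather than demanding an exact byte match.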